OWASP SCS Checklist¶
The OWASP Smart Contract Security Checklist helps you verify compliance with SCSVS controls and SCSTG test cases.
- Security assessments / pentests: cover the standard attack surface first, then explore protocol-specific behaviour.
- Standards compliance: items map to SCSVS controls and SCSTG test cases.
- Learning and practice: work through the checks to build smart contract security skills.
- Bug bounties: walk the attack surface step by step.
Track your audit progress in-browser: check items off, filter by status, export results.
Using the Checklist in Security Audits¶
Use the checklist to structure engagements and ensure consistent coverage:
- Scoping: Filter by category (Architecture, Access Control, Oracle, etc.) to align with project scope.
- Prioritization: Focus on Critical and High severity items first; use the priority filter.
- Progress tracking: Mark items complete as you verify; export JSON/CSV for reports.
- Gap analysis: Compare coverage against SCSVS to identify missing or weak controls.
What to Check During Audits¶
| Area | Key Checks |
|---|---|
| Architecture | Upgrade mechanisms, proxy initialization, storage layout, privilege transfers |
| Business Logic | Loan-to-value (LTV) and liquidation math, slippage limits, flash loan resistance, rounding direction, token donation (share inflation) attacks |
| Access Control | RBAC, modifiers, init functions, timelocks, arbitrary call prevention |
| Oracles & Pricing | TWAP vs spot, staleness, manipulation vectors, cross-chain consistency |
| Integrations | ERC-20/ERC-4626 edge cases, fee-on-transfer and rebasing tokens, external call safety |
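The rounding and token donation checks in the Business Logic row are easiest to reason about with an integer model. The following is an added example written for this page, not code from the checklist or from any project: it models ERC-4626-style share accounting in Python with Solidity's round-down division, runs the classic first-depositor inflation attack against a naive share formula, and repeats it against the virtual-shares formula that OpenZeppelin's ERC4626 uses with a decimals offset. Vault sizes, the 1 wei deposit, the 1-token donation and the offset of 6 are constructed inputs.

```python
"""Integer model of ERC-4626-style share accounting.

Two share-price formulas are modelled, both rounding down like Solidity
integer division:

  naive    : shares = assets * totalSupply // totalAssets   (1:1 when empty)
  offset k : shares = assets * (totalSupply + 10**k) // (totalAssets + 1)
             the virtual-shares / virtual-asset formula that OpenZeppelin's
             ERC4626 uses with a decimals offset of k
"""
from dataclasses import dataclass, field
from typing import Optional

WAD = 10**18  # one token with 18 decimals


@dataclass
class Vault:
    offset: Optional[int] = None  # None = naive formula, k = virtual offset 10**k
    total_assets: int = 0         # mirrors token.balanceOf(vault): donations inflate it
    total_supply: int = 0
    shares: dict = field(default_factory=dict)

    def to_shares(self, assets: int) -> int:
        if self.offset is None:
            if self.total_supply == 0:
                return assets
            return assets * self.total_supply // self.total_assets
        return assets * (self.total_supply + 10**self.offset) // (self.total_assets + 1)

    def to_assets(self, shares: int) -> int:
        if self.offset is None:
            if self.total_supply == 0:
                return 0
            return shares * self.total_assets // self.total_supply
        return shares * (self.total_assets + 1) // (self.total_supply + 10**self.offset)

    def deposit(self, who: str, assets: int) -> int:
        minted = self.to_shares(assets)  # rounds down: the vault keeps the dust
        self.total_assets += assets
        self.total_supply += minted
        self.shares[who] = self.shares.get(who, 0) + minted
        return minted

    def donate(self, assets: int) -> None:
        # Plain ERC-20 transfer to the vault address: totalAssets() moves,
        # totalSupply does not, so the price per share jumps.
        self.total_assets += assets

    def redeem(self, who: str, shares: int) -> int:
        assert self.shares.get(who, 0) >= shares, "insufficient shares"
        out = self.to_assets(shares)
        self.shares[who] -= shares
        self.total_supply -= shares
        self.total_assets -= out
        return out


def inflation_attack(vault: Vault, victim_deposit: int = WAD, donation: int = WAD) -> dict:
    """Front-run a victim's first deposit: 1 wei deposit, large donation, redeem.

    Constructed scenario: attacker deposits 1 wei, donates `donation` tokens
    directly, the victim deposits `victim_deposit`, then both redeem.
    """
    vault.deposit("attacker", 1)
    vault.donate(donation)
    victim_shares = vault.deposit("victim", victim_deposit)
    attacker_out = vault.redeem("attacker", vault.shares["attacker"])
    victim_out = vault.redeem("victim", victim_shares)
    return {
        "victim_shares": victim_shares,
        "attacker_profit": attacker_out - 1 - donation,
        "victim_received": victim_out,
    }


if __name__ == "__main__":
    print("naive   :", inflation_attack(Vault()))
    print("offset 6:", inflation_attack(Vault(offset=6)))
```

With the naive formula the victim's deposit rounds down to zero shares and the attacker walks away with it. With the offset formula the same donation is split across the attacker's shares, the victim's shares and the virtual shares, so the attacker loses roughly half the donation and the victim gets back almost exactly what was deposited. During review, check which formula the vault uses, whether `deposit` reverts on zero shares, and whether `totalAssets()` is read from a balance that a third party can move.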
Code Review Approach¶
- Top-down: Start with architecture and access control; trace privilege flows.
- Entry points: Map all external/public functions and their authorization paths.
- State changes: Track storage writes and cross-contract calls for reentrancy and ordering.
- Math & precision: Verify integer handling, decimal scaling, unchecked blocks.
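Mapping every external/public function to its authorization path is the first concrete step of the review above, and it also covers the modifier and init-function checks in the Access Control row. The script below is an added example written for this page, not a tool from the checklist or any project. It is a regex-based triage aid, not a Solidity parser: it lists each external/public function plus `receive`/`fallback`, records visibility, mutability and the modifiers applied, and flags state-changing entry points that carry none of a configurable set of access-control modifier names. The modifier list and the sample contract are constructed for the demonstration; function-typed parameters and string literals containing `//` would confuse the regexes, so confirm every flag against the function body.

```python
"""Regex-based entry-point and authorization-path map for a Solidity source."""
import re
from dataclasses import dataclass, field
from typing import List

# Assumption for this example: modifier names treated as access control.
# Extend with the project's own modifier names before running it on a code base.
ACCESS_CONTROL = {"onlyOwner", "onlyRole", "onlyAdmin", "onlyGovernance",
                  "initializer", "reinitializer"}
VISIBILITY = {"external", "public", "internal", "private"}
MUTABILITY = {"view", "pure", "payable"}
KEYWORDS = {"virtual", "override"}

# `function name(params) <header> {` or `;`, plus the special receive/fallback.
FUNC_RE = re.compile(
    r"\b(?:function\s+(?P<name>\w+)|(?P<special>receive|fallback))\s*"
    r"\((?P<params>[^)]*)\)\s*(?P<header>[^{;]*)[{;]",
    re.S,
)


@dataclass
class EntryPoint:
    name: str
    visibility: str
    mutability: str              # view / pure / payable / nonpayable
    modifiers: List[str]
    findings: List[str] = field(default_factory=list)


def _strip_comments(src: str) -> str:
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return re.sub(r"//[^\n]*", "", src)


def map_entry_points(src: str) -> List[EntryPoint]:
    """Return every externally reachable function with its authorization path."""
    points = []
    for m in FUNC_RE.finditer(_strip_comments(src)):
        name = m.group("name") or m.group("special")
        header = re.sub(r"\breturns\s*\([^)]*\)", "", m.group("header"))
        # One token per keyword or modifier; a modifier's argument list such as
        # onlyRole(ADMIN_ROLE) is swallowed so its contents are not read as
        # further modifiers.
        tokens = re.findall(r"(\w+)(?:\s*\([^)]*\))?", header)
        visibility = next((t for t in tokens if t in VISIBILITY),
                          "external" if m.group("special") else "unspecified")
        if visibility not in ("external", "public"):
            continue
        mutability = next((t for t in tokens if t in MUTABILITY), "nonpayable")
        modifiers = [t for t in tokens if t not in VISIBILITY | MUTABILITY | KEYWORDS]
        ep = EntryPoint(name, visibility, mutability, modifiers)
        if mutability not in ("view", "pure"):
            guarded = bool(ACCESS_CONTROL & set(modifiers))
            if name.lower().startswith("init") and not {"initializer", "reinitializer"} & set(modifiers):
                ep.findings.append("init function without `initializer`: anyone may (re)initialize")
            elif not guarded:
                ep.findings.append("state-changing entry point with no access-control modifier: "
                                   "verify authorization inside the body")
        points.append(ep)
    return points


def flagged(src: str) -> List[str]:
    """Names of entry points that need a closer look, in source order."""
    return [ep.name for ep in map_entry_points(src) if ep.findings]


# Constructed sample contract for the demonstration (not a real project).
SAMPLE_SOURCE = """
contract Vault is Initializable, OwnableUpgradeable, ReentrancyGuard {
    address public oracle;

    /* initializer deliberately left unguarded */
    function initialize(address owner_) external {
        _transferOwnership(owner_);
    }

    function setOracle(address o) external onlyOwner { oracle = o; }

    function deposit(uint256 amount)
        external
        payable
        nonReentrant
        returns (uint256 shares)
    { /* ... */ }

    function sweep(address token) public { /* ... */ }

    function balanceOf(address a) external view override(IERC20) returns (uint256) { /* ... */ }

    function _price() internal view returns (uint256) { /* ... */ }

    receive() external payable {}
}
"""

if __name__ == "__main__":
    for ep in map_entry_points(SAMPLE_SOURCE):
        print(f"{ep.name:<12} {ep.visibility:<8} {ep.mutability:<10} "
              f"modifiers={ep.modifiers} {'; '.join(ep.findings)}")
```

On the sample, `initialize` is flagged because it is callable by anyone and is not guarded by `initializer`, `deposit` and `sweep` are flagged as unguarded state changes (a user-facing `deposit` is expected to be open; `sweep` is not), and `setOracle` and `balanceOf` pass. Treat the flagged list as the reading order for the manual pass, not as findings in themselves.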
Protocol Layers to Focus On¶
| Layer | Focus |
|---|---|
| Smart contracts | Core logic, vaults, oracles, governance, upgrade paths |
| Bridges & cross-chain | Message validation, replay protection, sequencer assumptions |
| Off-chain indexers / APIs | Input validation, rate limits, authentication |
| Frontends | Wallet connection, transaction signing UX, error handling |
Web2 & Web2.5 Components¶
When auditing full-stack dApps, also verify:
- Backend APIs: Auth (JWT/session), input sanitization, rate limiting, CORS.
- RPC nodes / subgraphs: Data integrity, caching, failure handling.
- Signing flows: Key storage, session management, approval flows.
- Third-party SDKs: Wallet connectors, price feeds, analytics—trust boundaries.
Related Resources¶
- SCSVS Controls – Full verification standard
- SCSTG Tests – Testing guide
- SCWE Weaknesses – Weakness enumerations